[Snort-users] Securing a Snort machine

Matt Kettler mkettler at ...4108...
Thu Apr 17 08:47:30 EDT 2003

At 03:36 PM 4/17/2003 +1000, Elvira_Byrnes at ...8560... wrote:
>Thanks a lot for your suggestions. What is the proper way to configure an 
>IPless interface on the RedHat? Is it safe to run Webmin on that box?
>Thanks a lot.

Webmin always carries a small degree of risk, since it is a powerful tool 
and is network accessible. If you do run it, make SURE that it's only bound 
to an "inside" interface and make sure that your firewall will NOT allow 
the internet to talk to the IP of that interface. As long as it's running 
only on an inside interface that's protected by a firewall it should be 
safe, but you are depending on the firewall.

Also, one suggestion that (shockingly) nobody on the list mentioned:

It's generaly a wise idea to chroot and setuid your copy of snort. This 
will make it harder to exploit the machine should snort itself contain a 
buffer overflow (ie: like the rpc_decode bug). This is relatively easy to 
do, but does involve building the directories for a chroot jail.

1) make a /home/snort or something of the sort.
2) under it create some directories (note that var needs to be chowned such 
that the user snort runs as can access it. In this example I'm using the 
user nobody, but you can create a special "snort" user. )

         drwxr-xr-x  2 root   root      512 Apr 14 17:25 dev
         drwxr-xr-x  2 root   root      512 Dec 19 21:55 etc
         drwxr-xr-x  2 root   root     1536 Dec 19 16:56 rules
         drwxr-xr-x  2 root   root      512 Dec 19 18:13 sbin
         drwxr-xr-x  4 nobody root      512 Dec 19 20:33 var

under var make a log directory

         drwxr-xr-x  3 nobody  root  512 Dec 19 16:58 log

and under log make a snort directory:
         drwxr-x---  2 nobody  root  1024 Apr 17 01:30 snort

Note I've also made that directory chmod 750 to prevent non-root users 
other than nobody

3) make some entries in dev (note: mknod commands assume linux, these 
values are different on BSD's)
         cd /home/snort/dev
         mknod null c 1 3
         mknod zero c 1 5

4) setup syslog to have a log point within the chroot
         edit /etc/sysconfig/syslog such that SYSLOGD_OPTIONS contains "-a 
         service syslog restart

5) copy your rules into the rules directory of the chroot, and your 
snort.conf into it's etc. also copy snort to the chroot's sbin.

6) make a simple script to start snort with chroot: (modify it to taste)

/home/snort/sbin/snort -c etc/snort-spade.conf -t /home/snort -l 
/var/log/snort -u nobody -i eth0 -D


More information about the Snort-users mailing list